[j-nsp] MACsec over a service provider

Chuck Anderson cra at WPI.EDU
Fri Oct 27 21:38:53 EDT 2017


Destination MAC 01:80:c2:00:00:03, EtherType 0x888e (ieee8021x) is
eaten by the PE router (MX480).  I'm not sure about the ASR9k at the
other end of the production scenario--it may have the same trouble.

My lab is like this, with the EX2200 substituting for the ASR9k.  The
idea is to have MACsec between the EX4300s, with the middle being
transparent to it.

I got this working:

EX4300---EX2200---EX4300

For the EX2200, I had to configure layer2-protocol-tunneling to allow
the EAPOL 802.1x through:

vlans {
    MACSEC-TRANSPORT {
        vlan-id 10;
        ##
        ## Warning: requires 'dot1q-tunneling' license
        ##
        dot1q-tunneling {
            layer2-protocol-tunneling {
                all;
            }
        }
    }
}

MACsec comes up fine on both EX4300s and I can ping between them.


But this fails:

EX4300---EX2200---MX480---EX4300

I'm doing simple bridging through the MX, but the MX doesn't support
the mac-rewrite needed (ieee8021x).  Anyone have any clever ideas to
work around that limitation?

On Fri, Oct 27, 2017 at 05:40:57PM +0300, Elijah Zhuravlev wrote:
> Hello
> 
> Ethertypes 0x888e and 0x88e5 should be supported by the switching hw,
> no other special requirements.
> Btw keep in mind MACsec overhead, +32.
> 
> regards, Eli
> 
> On Fri, 27 Oct 2017 10:23:01 -0400
> Chuck Anderson <cra at WPI.EDU> wrote:
> 
> > Has anyone been able to run MACsec over a service provider's Ethernet
> > Private Line (or even just a 802.1q vlan)?  I'm looking at using 10gig
> > ports on the EX4300 or the EX4600/QFX5100-24Q with the MACsec uplink
> > module.
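The two frame types the thread turns on, as an added example that is not from the original posts: a small Python classifier that decodes the 0x888e EAPOL header (MKA is EAPOL packet type 5, sent to 01:80:c2:00:00:03) and the 0x88e5 MACsec SecTAG, so a capture taken on the far EX4300's uplink shows whether MKA frames survive the transit path and what per-frame overhead the provider VLAN must carry. All sample frames, MAC addresses and the `mka_reaches_far_end` helper are constructed for this example.

```python
import struct

DOT1Q, EAPOL, MACSEC = 0x8100, 0x888E, 0x88E5
PAE_GROUP = bytes.fromhex("0180c2000003")  # MKA destination; a bridge that consumes it breaks key agreement
ICV_LEN = 16

def classify(frame: bytes) -> dict:
    """Classify one Ethernet frame and decode the EAPOL header or MACsec SecTAG."""
    dst, ethertype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    off, vlan = 14, None
    if ethertype == DOT1Q:                     # frame carried on the provider's 802.1Q VLAN
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        off, vlan = 18, tci & 0x0FFF
    info = {"dst": dst.hex(":"), "vlan": vlan, "ethertype": ethertype}
    if ethertype == EAPOL:
        version, ptype = frame[off], frame[off + 1]
        info.update(kind="eapol", version=version, mka=(ptype == 5), group_addr=(dst == PAE_GROUP))
    elif ethertype == MACSEC:
        tci_an, pn = frame[off], struct.unpack("!I", frame[off + 2:off + 6])[0]
        sci_present = bool(tci_an & 0x20)      # TCI.SC bit: an explicit 8-byte SCI follows the PN
        sectag = 16 if sci_present else 8      # EtherType + TCI/AN + SL + PN (+ SCI)
        info.update(kind="macsec", an=tci_an & 0x03, encrypted=bool(tci_an & 0x08), pn=pn,
                    sci=frame[off + 6:off + 14].hex() if sci_present else None,
                    overhead=sectag + ICV_LEN)  # 32 bytes with SCI, the "+32" Eli mentions
    else:
        info["kind"] = "other"
    return info

def mka_reaches_far_end(frames_seen_at_far_end) -> bool:
    """True if at least one EAPOL-MKA frame to the PAE group address arrived across the transit path."""
    return any(c["kind"] == "eapol" and c["mka"] and c["group_addr"]
               for c in map(classify, frames_seen_at_far_end))

# Constructed sample frames (not real captures): one MKA frame and one MACsec data frame on VLAN 10.
SRC = bytes.fromhex("0011223344aa")
MKA_FRAME = PAE_GROUP + SRC + struct.pack("!HBBH", EAPOL, 3, 5, 0)   # EAPOL v3, type 5 = MKA
SCI = SRC + b"\x00\x01"                                               # SCI = source MAC + port 1
SECTAG = bytes([0x2C, 0x00]) + struct.pack("!I", 42) + SCI            # SC=1,E=1,C=1,AN=0; SL=0; PN=42
MACSEC_FRAME = (bytes.fromhex("0011223344bb") + SRC + struct.pack("!HH", DOT1Q, 10)
                + struct.pack("!H", MACSEC) + SECTAG + bytes(60) + bytes(ICV_LEN))

if __name__ == "__main__":
    for f in (MKA_FRAME, MACSEC_FRAME):
        print(classify(f))
    # Only data frames seen beyond the PE: the EAPOL frames were consumed upstream.
    print("MKA seen across provider:", mka_reaches_far_end([MACSEC_FRAME]))
```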
